An SAP executive answers a few questions about internal auditing and risk assessment in today’s enterprise business environment.

Key Concept
Emerging risks, according to Institute of Internal Auditors President Richard Chambers, are “newly developing risks that cannot yet be fully assessed but that could, in the near future, affect the viability of our organizations’ strategies and business models.”

In his blog on the Web site for the Institute of Internal Auditors (IIA), IIA President and CEO Richard Chambers commented about a challenge internal auditors face in assessing emerging risks:
“Internal auditors have become increasingly effective in assessing traditional risks; however, the ability to identify and assess emerging risks presents new challenges and requires even greater proficiency. Emerging risks are the newly developing risks that cannot yet be fully assessed but that could, in the near future, affect the viability of our organizations’ strategies and business models. These risks have no track record, so despite the fact that our risk assessment techniques are becoming more sophisticated each year, new and emerging risks are still the most difficult risks for us to identify and quantify.”
On the same site, Norman Marks, a former vice president at SAP, referred to the following findings from an AuditNet survey on the state of technology use by auditors: 
- “While audit software tools have been available for almost 2 decades, auditors and audit departments are not making full use of the technology.
- Auditors use audit software tools mostly on an ad hoc basis with some repetitive use, and departments do not have a strategy or plan to integrate technology in the audit process.
- The main reason for limited use of audit technology tools is the cost of the software and training and management resistance to change.”
I asked Bruce Carpenter, vice president of corporate audit at SAP, to comment on these statements and to answer some questions about how organizations can meet challenges pertaining to internal auditing and risk assessment.
Richard Chambers sees challenges ahead for internal audit teams with regard to assessing emerging risks. Could you comment on what measures an organization can take to identify and mitigate new risks?
There is no doubt that new risks emerge daily. I think there are two important things to consider here. First, I think all managers need to ask themselves two key questions: What risks might prevent me from meeting my objectives for the chief executive? How adequate is my current mitigation strategy? This will immediately provide a key to the top strategic risks facing the organization. Second, the organization needs to have a defined process to update their risk assessment for regulatory changes and other emerging risks. Fortunately, there is a lot of industry benchmarking information available from the big four and other major advisory firms. Audit and compliance officers are generally well networked with their peers, and these knowledge-sharing platforms definitely help to develop best practice approaches to managing emerging risks. Another place to look for emerging risks is in capital budgets. In many cases capital spending is being driven by a perceived emerging risk or opportunity. The business case may not necessarily mention the risk, but it is clear that the spend is aimed at a risk of some sort, such as competition or climate change.
Could you describe best practices to follow to integrate technologies in the audit process?
It is always important to make sure that technology needs are matched with business requirements. A needs analysis is an important starting point here. The next step is to understand what the current IT landscape looks like, and the extent to which existing applications are interconnected. Then, moving to the applications themselves, it is useful to consider their business relevance, and how well each meets current and future needs. Finally, understanding usability issues or functionality limitations is also important. 
Armed with this information, organizations can identify integration priorities. Identifying a common GRC platform such as SAP will always maximize the benefits of integration and assist to develop a unified framework. Over time, we can expect technology to become increasingly important as a knowledge source. 
Use of mobile applications is increasing among businesses. What emerging risks do you think an internal audit team should focus on with regard to mobile apps?
I think it is important to step back and understand what the shift to mobile devices means for organizations. At one point, the auditor could easily “ring-fence” the organization, with data security standards designed for mainframe and laptop computing. Mobile devices are smaller, lighter and now, more powerful than ever before. And they contain a combination of company and personal data. The big question with the use of mobile devices is security — both of data and of intellectual property. It is relatively easy to misplace a mobile device, and the consequences in terms of data security need to be considered. Fortunately, there are technologies available on the market to remotely wipe and disable devices, and to retrieve the associated information.
Could you cite some benefits of using analytics provided by SAP HANA or another application to streamline internal audit processes? 
It has been interesting to watch the move from sampling to data analytics. Auditors traditionally make decisions on a population of data (e.g., accounts payable for June 2013) by choosing a sample designed to be representative of the entire population and testing those transactions. Now, by defining parameters to identify suspicious transactions, auditors can use applications such as SAP HANA to test the whole population. Additionally, the testing can be more robust — for example, running the vendor master file against the employee population to identify potential conflicts of interest. SAP HANA offers the additional benefit of being able to search across unstructured data, such as PDF files, and this can greatly enhance the quality of audit outcomes. Predictive capabilities and cross-system monitoring are also possible.
What about cloud computing? Can you cite an example of a challenge related to cloud computing that an organization may face?
For me, the obvious choice is governance. Your cloud partner needs to be someone you can trust. As auditors, we are trained to trust, then verify. So your cloud partner needs to demonstrate transparency in every aspect of their service provision. You need sufficient visibility to understand all the links in the service provision chain, and to be transparent about the ability of each component to meet international standards.
But I think it is also important to place these challenges in the context of potential benefits of the cloud — speed of implementation and lower costs of ownership. And also consider that over time, the quality of your cloud software product will improve incrementally as a result of feedback from you and other customers. The market will progressively require the development of best-practice software. Data in the cloud may also be more secure in the sense that it is not as vulnerable to physical destruction.
Bruce Carpenter is a vice president in SAP’s Corporate Audit department. Bruce commenced his career in New Zealand as an auditor for KPMG. After overseas experience in London, he moved to San Francisco, where he was a senior manager in KPMG’s Forensic Accounting practice. In 2001 he moved to Sybase Inc. to develop an Internal Audit department in which he was responsible for internal audit and enterprise risk management (ERM). He was also the company’s compliance officer. In 2012 Sybase won OCEG’s Principled Performance Award for excellence in the implementation of ERM companywide. Subsequent to Sybase’s acquisition by SAP, Bruce moved to the SAP Corporate Audit Department, where he was vice president of global sales and services audit. In this role he worked with line management to design and develop audits that best align with SAP’s ongoing sales strategy. He is currently leading the go-to-market activities on behalf of corporate audit for SAP’s new Audit Management product. In the context of corporate audit’s transformation, his aim is to position Corporate Audit as a trusted advisor to the business, using the Audit Management Tool to increase efficiency and effectiveness.
 
    
    
 
    
    
    
Gary Byrne
Gary is the managing editor of Financials Expert and SCM Expert. Before joining WIS in March 2011, Gary was an editor at Elsevier. In this role he managed the development of manuscripts for Elsevier’s imprint responsible for books on computer security. Gary also has held positions as a copy editor at Aberdeen Group, a Boston-based IT market research company, and as an editor at Internet.com, a publisher of content for the IT community. He also gleaned experience working as a copy editor for International Data Corp., a Framingham, MA-based IT market research company. He earned a bachelor of science degree in journalism from Suffolk University in Boston. He enjoys traveling, sailing as a passenger onboard schooners, and helping his wife, Valerie, with gardening during summer weekends. He’s a fan of all the Boston sports teams and once stood behind Robert Parish in a line at BayBank. He felt small and didn’t ask for an autograph. You can follow him on Twitter at @FI_SCM_Expert. His online footsteps can also be found in the SAP Experts group on LinkedIn.
You may contact the author at gary.byrne@wispubs.com.
				   
            